
Firewall blocking events sent back to ePO ?

According to KB65559 (https://kc.mcafee.com/corporate/index?page=content&id=KB65559), Firewall blocking events can't be seen in the ePO console?

Do you know of any possible way to get them?

Thanks

Thibo

4 Replies

Re: Firewall blocking events sent back to ePO ?

Hi,

I am aware of the fact that the blocked events can be viewed on the client side under the activity log, but is there no way to get all the events on the EPO to correlate all the events from the endpoints? Please assist. We are using EPO 4.5.

Regards

Re: Firewall blocking events sent back to ePO ?

This won't be a satisfying answer, but you really don't want them. It is quite common for firewalls to block more traffic than they allow. This isn't bad per se, just that the firewall is ignoring unneeded traffic. The reason Host IPS doesn't communicate up the logs is a volume issue: you could possibly be generating an event for every single firewall rule match. And that would really be a disaster for your SQL admin.

However, I think it is an excellent FMR to ask for the ability to pull these logs remotely for inspection from time to time. We just don't want to auto-collect these. That would really be bad.


Re: Firewall blocking events sent back to ePO ?

Can version 8.0 of HIPS collect events blocked by the Firewall?

Although it is not so automatic, it would be nice to have this feature on demand.


Re: Firewall blocking events sent back to ePO ?

The Firewall rule which you need to monitor for a specific system or multiple systems.

Just duplicate the assigned IPS rule, give it a new name, type the IPS Signature 3702, and make sure its severity is set to high.

Go back to the Firewall policy assigned to the machine or group of machines and check the box "Treat matched traffic as Intrusion". Save the firewall rule and assign it to the machine where you want to monitor Firewall logs from ePO.

Send a wake up agent and you will be able to see the firewall logs on the ePO console.

**Note: This is not recommended because that can fill the DB with Firewall logs. Use this only for troubleshooting purposes; that will cut the dependency on collecting the activity log from the machine.**
